It may have escaped the notice of prospective buyers, but cars have recently become a bit of a target for security researchers.

The latest example of this challenge sport has arrived from researchers at Dutch pen-testers Computest, who decided to see what security woes they could uncover in two 2015 models, the Volkswagen Golf GTE and an Audi A3 Sportback e-tron, both made by Volkswagen Audi Group (VAG).

True to their hunch, with a bit of hunting they eventually found a way into both cars through an insecure software service exposed by the Wi-Fi interface used by the car’s Harman In-Vehicle Infotainment (IVI) system.

Having burrowed in via Wi-Fi the researchers had a platform from which to hunt for further vulnerable components elsewhere in the car. After some effort they found a path to the IVI’s Control Area Network (CAN) bus.

This meant that:

Under certain conditions attackers could listen in to conversations the driver is conducting via a car kit, turn the microphone on and off, as well as gaining access to the complete address book and the conversation history.

And:

There is the possibility of discovering through the navigation system precisely where the driver has been, and to follow the car live wherever it is at any given time.

The car uses a different, high-speed CAN bus for vehicle-critical communication such as steering, door unlocking, park assist, and – yes – braking.

That high-speed CAN bus is precisely one component away from the compromised IVI CAN bus: the two are separated by a CAN bus gateway that acts as a firewall between the two.

It’s here that the researchers stopped.

…we decided to discontinue our research at this point, since this would potentially compromise intellectual property of the manufacturer and potentially break the law.

…the current attack vector poses no direct threat to driver safety. However, if an exploitable vulnerability in the gateway were to be found, the impact would significantly increase.

So, the researchers stopped themselves from attempting to bridge the gap to the cars’ most critical systems having removed most, but not all, of the barriers between it and the outside world.

The researchers reported their findings to VAG, which seems to have taken the issue seriously enough to invite them to come to its HQ in Germany to explain them.

The company later said it had patched the flaws that allowed access, although of course that would only fix new cars made from the point that firmware image became available.

Standing back, the research is telling us the car industry isn’t so different from many of the other sectors adding products to the internet of things (IoT).

First, there is not usually an over-the-air updating mechanism. The only way to fix a serious problem is to ask every car owner to visit the dealer for a service update, a hugely expensive and time-consuming task.

Then there’s the question of how well tested these systems are against hacking in the first place – the fact two pen testers were able to get inside the infotainment system suggests that all is not as it might be on that score. The same applies to the lack of any agreed system through which car makers tell owners about potential security issues in vehicle software.

The biggest weakness of all is simply that few car makers seem to have any responsible disclosure process for researchers to tell them about problems.

Note the researchers, ominously:

Ethical hackers should not be threatened but encouraged to disclose findings to the manufacturer.

This is a blind spot that it’s within the wit of car makers to fix, perhaps through the kind of managed bug bounty programme used routinely by big software companies.

This is an issue that does need attention. Car makers are used to the top-down approach to solving (usually mechanical) problems but with cars making increasing use of software they are going to have to wake up to increasing numbers of customers (and third party testers!) pointing out bugs or serious shortcomings/vulnerabilities and be responsive and deal with them. Recalls, their preferred method, will just not cut it these days with more and more customers quite used to carrying out OTA updates on their smartphones snd computers. Car makers must wake up!

Going forward car makers are going to have to consider ‘privacy by design’ when they get hyper excited over new connectivity features or GDPR fines are going to get expensive. Although I guess VAG could repeat their previous MO of gagging researchers legally rather than fixing the issue.